Privacy, National Security, and Mass Surveillance

National Security and Privacy in cyberspace can be perceived as opposites depending on the audience and perceptions. Understanding the foundational structure of each principle objectively can bring significant comprehension to opposite parties.

Without understanding the core reasons of why certain types of data must be secret, it becomes extremely difficult for governments, the military, industry, and ultimately the people to view privacy as both a protector of freedom and also a force in the protection of national security and power projection.

How does government mass surveillance in cyberspace cross through the domains of privacy and national security with minimal effect in a way where people trust the government? Is it really possible to deploy a conscientious mass surveillance program with minimal loss of trust from the people being served?

If privacy is not protected while performing mass surveillance for national security purposes, then the people’s level of trust in the government decreases.

Can There Be Security with Privacy?

First and foremost, it seems that the definition of privacy is considered by many scholars as cloudy, complex, and subjective. “Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”[1]

Privacy is a value, a perception of how one wants to be viewed by society. At the crux of this value is control. It would be wise to say that true privacy can only be achieved through one’s control of this societal perception of one’s life. This perceived value could be corrupted by a system whose core intent is to affect or control societal perception:

“The Obama administration’s ‘International Strategy for Cyberspace’ (.pdf)… presents concepts and ideals on a cluster of diplomatic, commercial, and security issues related to the global information space that the Internet and its environs have become.”[2]

As stated in the White House’s International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World:

“People must have confidence that data will travel to its destination without disruption. Assuring the free flow of information, the security and privacy of data, and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights.”[3]

The strategy from the White House clearly indicates the co-existence of security and privacy of data. It gives the people assurance of privacy of data while still enforcing the security and integrity of data in motion and at rest. What the strategy fails to expand upon is the how of things. “Our strategy marries our obligation to protect our citizens and interests with our commitment to privacy.”[4]

Secrecy

As the stated by the famous Carl von Clausewitz: “The backbone of surprise is fusing speed with secrecy.” At the core of national security lies the concept of secrecy: the notion that not all data must be shared or hidden from the powers that be.

Not all things must be known to all people; otherwise, the very principle of privacy would be corrupted. Both the people and the government should have rights to control perception and to conceal the truth to an extent that may conserve freedom and protect liberty. But, how does one find the ideal balance between the two noble values of national security and privacy through the deployment of programs such as mass data collection via the cyber spectrum?

Collection Through a Chaotic Environment

The Internet was developed with protocols that foster information sharing and obfuscation (lack of attribution) but without built-in security. The medium had to be transformed in order to create the ideal environment for data collection to take place.

This natural evolution in cyberspace was created by security companies, scientists, government, and the private sector with the goal of adding security to a naturally open and anonymous Internet. Protocols such as IPSec and strong crypto systems created the illusion of privacy for both the people and the government. Now the masses can hide their data through strong secure protocols, and now the people can perform financial transactions through VPN tunnels and maintain confidentiality and integrity of data.

However, now criminal organizations and terrorists can also hide their communications through the usage of the very same secure protocols. Here lies the conundrum: should the state compromise the so-called secure protocols in the name of national security? If so, how can the state weaken these protocols without losing public trust?

There is a school of thought from the “Department of Defense for Operating in Cyberspace” that sees cyberspace, the Internet, as an operational domain where wars can be fought and national security can be preserved. It states the following:

The U.S. military’s ability to use cyberspace for rapid communication and information sharing in support of operations is a critical enabler of DoD missions. More broadly, DoD’s depth of knowledge in the global information and communications technology sector, including its cybersecurity expertise, provides the Department with strategic advantages in cyberspace.[5]

The “ability to use cyberspace” should be stressed. The only way to truly have the strategic advantage in cyberspace is through freedom of maneuver through and in cyberspace. Privacy may hinder maneuverability through cyberspace, thus compromising the mission of an entire military, which has the primary goal of saving lives.

In the next article in this three-part series, the author shares insights provided by some of the 31,000 CSFI members who were asked, “In your opinion, how can privacy and national security co-exist in harmony in the contested domain of cyberspace?” – Stay tuned!

Editor’s Note:The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

About the Author:Paul de Souza, CCSE, NSA-IAM, BCCPP, Sec+, Net+, CHCP, SANs E-Warfare, JNCIA-FWV. Mr de Souza is the Founder/President/Director of CSFI (Cyber Security Forum Initiative) and its divisions CSFI-CWD (Cyber Warfare Division) and CSFI-LPD (Law and Policy Division). He served as a Federal Director of Training and Education for Norman Data Defense Systems and he also teaches PSSL 6247 Cyber Defense Strategies at George Washington University. Mr de Souza has over 15 years of cyber security experience and has worked as a Chief Security Engineer for AT&T, where he designed and approved secure networks for MSS. Mr de Souza also worked for CSC and US Robotics as a Security Engineer. He has consulted for several governments, military organizations and private institutions on best network security practices and also presented in Estonia, the country of Georgia, Australia, Czech Republic, Belgium,Spain, Sweden, Israel, and all across the United States.

About CSFI:CSFI, founded in 2009, is a nonprofit organization. Its mission is to provide cyberdefense awareness, guidance and security solutions through collaboration, education, volunteer work and advanced training.

Related Articles:

Resources:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.